With the advent of Industry 4.0 and the IIoT, there is a growing interest in connecting control and automation systems of machines and plants to the Cloud, in industry as in utilities.

Companies can thereby obtain detailed information on their processes, run analyses on IoT platforms in the Cloud, and use the results to improve performance.

One of the methods for connecting machines to the cloud is to use OPC UA for intra-plant communications and an MQTT gateway to send your data to the cloud. While this combination provides some inherent security features, it may not meet all security needs. To explain why, let's first look at a typical basic IoT gateway scenario and then at an advanced scenario that substantially increases plant security.

Typical scenario

A typical IIoT gateway combines two types of data exchange: in-plant and plant-to-cloud. It should be said right away that OPC UA is often recommended for secure communications in Industry 4.0 and Industrial IoT applications (note: OPC UA is different from OPC DA; it is its evolution).


That's because OPC-UA offers multilevel security, including application-level authentication and authorization, as well as encryption and data integrity through the use of transport-level certificates.

For connections from outside the system, OPC UA is not always secure, because it requires opening an inbound firewall port so that an external client can connect to the system. It is true that devices with DPI (Deep Packet Inspection) and other firewall rules can be used for "ad hoc" protection, but implementing such techniques is not always easy (and can even be expensive).

For these and other reasons, MQTT is sometimes used for connections from the plant to the Cloud.

MQTT is a useful protocol for an IoT gateway because it is supported by many Cloud services such as Microsoft Azure, Google Cloud and Amazon IoT Core, etc. With MQTT it is possible to make an outgoing connection from the plant to the cloud service without opening any incoming firewall port: which is essential for the security of the plant.

This is why an IoT software gateway solution such as Skkynet's "DataHub IoT Gateway" can offer secure connectivity within the plant via its OPC UA interface and at the same time secure outbound connection to the Cloud via MQTT.

An IIoT software gateway must support all of the OPC UA security features. In addition, to support a secure outbound MQTT connection, it should support a secure transport layer (TLS/SSL) with certificates. With this combination you can have a reasonably safer data path from the factory machine to the Cloud application.

But there is a drawback: a typical IIoT gateway that sends OPC-UA data to the Cloud needs a direct connection to the Internet (and a DMZ!). If the Company's security policies do not allow an Internet connection from the plant, it is necessary to think of something more secure.

Daisy Chain connection

For a more secure IIoT connection, one option is to use an isolated computer, an Edge or Communication Server, outside the plant network, located in the DMZ (De-Militarized Zone) between the OT network and the IT/Enterprise network (as described in the ISA/IEC 62443 standard).

You could also choose to send a data stream from the OT network to an IT server, through the DMZ, and then convey the data to the Cloud.

In fact, highly secure production systems typically don't have a direct connection to the Internet and therefore must route traffic to the cloud through IT or a DMZ. In any case, a multi-hop architecture, also known as a "daisy chain", is required.

In a daisy chain connection, each hop must reliably retransmit all incoming data, while also monitoring downstream clients for network connection failures anywhere in the chain.

Unfortunately, neither OPC UA nor MQTT was designed for this task, and neither provides these functions "as-is".

Advanced scenario

An innovative and improved scenario envisions that the entire data set resides in each node, and that access to that data can be granted to every Client authorized to use it. This would also give the IT department full access to the data, including data that is transmitted directly to the Cloud service.

This advanced scenario can be implemented using a middleware product such as DataHub by Skkynet, installed on each node that needs to transmit and/or consult this data. DataHub is capable of tunneling data between a node within the plant network and a server in the DMZ or IT without opening any inbound firewall ports to the plant. A second DataHub, either installed in the DMZ or on an IT server, can then transmit data via MQTT to feed the data to the Cloud.

More specifically, the DataHub-to-DataHub connection uses the DataHub Transfer Protocol (DHTP), which sends and receives data in real time using TCP over a LAN, WAN, or the Internet.

The OPC UA connection to the plant DataHub is a single hop, and the MQTT connection from DataHub to the Cloud service is also a single hop. The DHTP protocol manages the daisy-chain connections in between, mirroring the entire data set and the connection status to each node.

DataHub allows access to this data by enabled Clients, as well as transmitting them to the next node in the chain, thus maintaining data consistency.



The Quality of Service of the DHTP protocol ensures that any Client or intermediate point in the chain remains consistent with the original data source, even if some data/events must be discarded to allow transmission over limited bandwidth. If a network connection is lost, DataHub automatically updates the data quality (QoS) of all related data points, so that every Client in the chain is immediately aware of that connection loss.
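The daisy-chain requirements stated earlier (each hop must retransmit all incoming data and report connection failures anywhere in the chain) and the QoS behaviour described in this paragraph are easier to reason about with a small model. The following Python is an added example, not Skkynet's code and not the DHTP protocol itself: it is a hypothetical three-node relay (plant, DMZ, IT) in which every node keeps a full mirror of the data set, each hop keeps only the latest unsent value per point so that a bandwidth-limited link drops intermediate events without ever delivering stale state, and a lost link marks every point that arrived over it as not-connected and pushes that status further down the chain. The names `Node`, `Link`, `Point`, `settle` and the quality strings are assumptions of this example.

```python
"""Toy multi-hop ("daisy chain") relay with full mirroring, update
coalescing and quality propagation on link loss. Hypothetical model only,
not an implementation of DHTP."""
from dataclasses import dataclass
from typing import Dict, List, Optional

GOOD = "good"
NOT_CONNECTED = "bad:not-connected"

_clock = 0


def _tick() -> int:
    """Global monotonic counter standing in for a source timestamp."""
    global _clock
    _clock += 1
    return _clock


@dataclass(frozen=True)
class Point:
    name: str
    value: object
    quality: str
    ts: int


class Link:
    """One hop between two nodes. Keeps only the latest unsent value per
    point, so a slow hop may drop intermediate events but never delivers
    state older than what the downstream node already holds."""

    def __init__(self, src: "Node", dst: "Node"):
        self.src, self.dst, self.up = src, dst, True
        self.pending: Dict[str, Point] = {}

    def queue(self, p: Point) -> None:
        if self.up:
            self.pending[p.name] = p  # newer value replaces an unsent older one

    def flush(self) -> int:
        """Deliver everything pending; returns the number of points sent."""
        batch, self.pending = list(self.pending.values()), {}
        for p in batch:
            self.dst.receive(p, self)
        return len(batch)

    def fail(self) -> None:
        """Simulate loss of the network connection on this hop."""
        self.up = False
        self.pending.clear()
        self.src.out.remove(self)  # upstream side notices the drop
        self.dst.link_lost(self)   # downstream side degrades data quality


class Node:
    def __init__(self, name: str):
        self.name = name
        self.points: Dict[str, Point] = {}
        self.via: Dict[str, Optional[Link]] = {}  # link each point arrived on
        self.out: List[Link] = []

    def connect(self, downstream: "Node") -> Link:
        link = Link(self, downstream)
        self.out.append(link)
        for p in self.points.values():  # a new hop starts from a full mirror
            link.queue(p)
        return link

    def update(self, name: str, value: object) -> None:
        """A local data source (e.g. the OPC UA side of the plant node) writes a value."""
        self._store(Point(name, value, GOOD, _tick()), None)

    def receive(self, p: Point, link: Link) -> None:
        cur = self.points.get(p.name)
        if cur is None or p.ts >= cur.ts:  # stale or out-of-order data is ignored
            self._store(p, link)

    def link_lost(self, link: Link) -> None:
        """Mark every point received over the failed link as not-connected,
        keeping the last known value so clients can see what was lost."""
        for name, src in list(self.via.items()):
            if src is link:
                old = self.points[name]
                self._store(Point(name, old.value, NOT_CONNECTED, _tick()), None)

    def _store(self, p: Point, link: Optional[Link]) -> None:
        self.points[p.name] = p
        self.via[p.name] = link
        for out in self.out:  # retransmit to every downstream hop
            out.queue(p)


def settle(nodes: List[Node]) -> int:
    """Flush every link until nothing is pending; returns total deliveries."""
    total = 0
    while True:
        n = sum(link.flush() for node in nodes for link in node.out)
        if n == 0:
            return total
        total += n


def quality_of(node: Node, name: str) -> str:
    return node.points[name].quality
```

Running three rapid updates of one point through the chain yields two deliveries in total (one per hop) rather than six, because each link coalesces to the latest value; after the plant-to-DMZ link fails, the IT node still holds the last value but its quality reads not-connected, while points originating at the DMZ node stay good.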

The result is that, with DataHub and its DHTP protocol, an OPC UA/MQTT gateway connection can be configured securely through a DMZ, via IT or via another Internet node, to the Cloud. This is not always possible with most IoT gateway products on the market, which are therefore suited only to the typical basic scenario, from OPC UA directly to MQTT.

This might be fine for consumer and non-critical IoT systems, but industrial IIoT applications require more security, reliability, real-time performance and resiliency.

In conclusion: the Skkynet DataHub middleware is a simple, safe and robust solution for those who have to send data to the Cloud from machinery and plants, in industry as well as in utilities.
